Multi-factor authentication (MFA) is a means of providing enhanced security to a login process by requiring the person attempting to log in to an account, or to access something that has been secured, to provide a second or even a third level of identity confirmation before being granted access. Typically, the first level of authentication is for the user to enter a user ID and password combination. Once that has been satisfied, the program accepting the login information will initiate its own MFA process. A typical MFA system will require the user to enter a one-time, algorithmically generated numeric or alphanumeric code that is generated by and known to the program accepting the login information and delivered to the person attempting to log in via a secondary channel such as, for instance, a short message service (SMS) text message. If the login procedure employs further means of authentication, those may include answering a personal question that has been previously entered and answered such as, for instance, “what color was your first car?” Collectively, the additional levels of authentication enhance the overall security of the login procedure.
The techniques described herein are directed to a particular authentication process termed rolling code authentication. The rolling code authentication technique described herein may be used in conjunction with one or more other authentication techniques to create a multi-factor authentication process.
Alternatively, the program accepting the access request information through its account login page may employ a third-party authentication system that uses algorithms and shared secret keys to generate temporary character codes. There are many commercial products or systems that provide the code-generating part of the system. One such product is the Google Authenticator application. Google Authenticator is an application that may be downloaded to and executed on a mobile computing device such as a smartphone, a tablet computing device, a laptop computing device, a desktop computing device, or a special-purpose hardware fob. Regardless of the type of computing device used, the function is essentially the same.
Specifically, an authentication system will generate a Time-based One-Time Password (TOTP) using an algorithm. The password (typically a string between six and eight characters in length) will be displayed by an application like Google Authenticator for a defined short duration (e.g., 30 seconds) before it disappears and the next TOTP character string is generated. The user must enter the current TOTP character string into a field provided by the account login page before it expires. If the entered character string does not match the expected character string, the access request will fail. In TOTP authentication systems, the user and the program accepting the access request information share a secret key that allows each to use the TOTP algorithm to generate exactly the same TOTP character string.
Because the access request page is also privy to the stream of TOTP character strings being generated, it can compare the entered character string with the actual character string(s). Often, a grace period is built into the process whereby a TOTP character string that expired while it was being entered, but is sufficiently close in time to the period in which it was valid, may still be accepted. In such cases, the account access request program may still accept the ‘late’ entry of the recently expired TOTP character string. This grace period may be controlled by the account access request program, which may be programmed to accept any valid TOTP character string that occurred within the last “x” number of minutes. The greater the value of “x”, the less secure the system may be, but the account access request program may nonetheless consider the tradeoff justified. It should also be noted that the length of the TOTP character string may be controlled as well; the six-character TOTP character string described above is merely exemplary. Thus, there may be a tradeoff between a longer TOTP character string (more secure) and the longer acceptance window it requires (less secure), because humans need more time to type in the longer code.
What is needed are techniques to provide a more robust and secure TOTP character string authentication application.